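# Composite action that prepares a CI runner for mkosi: it opens the KVM and
# vhost device nodes to unprivileged users, relaxes the AppArmor restrictions
# on unprivileged user namespaces, removes AppArmor, links mkosi into /usr/bin
# and installs the packages listed in the last step.
# NOTE(review): several steps lower host hardening (0666 device nodes, AppArmor
# removed). That presumes an ephemeral, single-tenant runner - confirm before
# pointing this at a shared or long-lived self-hosted runner.
name: setup-mkosi
description: Install mkosi

runs:
  using: composite
  steps:
    - name: Permit unprivileged access to kvm, vhost-vsock and vhost-net devices
      shell: bash
      run: |
        # Override the packaged tmpfiles.d entry so the static device nodes are
        # created 0666 instead of 0660.
        sudo mkdir -p /etc/tmpfiles.d
        sudo cp /usr/lib/tmpfiles.d/static-nodes-permissions.conf /etc/tmpfiles.d/
        sudo sed -i '/kvm/s/0660/0666/g' /etc/tmpfiles.d/static-nodes-permissions.conf
        sudo sed -i '/vhost/s/0660/0666/g' /etc/tmpfiles.d/static-nodes-permissions.conf
        # Same mode via udev. The heredoc body contains no shell expansions,
        # so it is written to the rules file verbatim.
        sudo tee /etc/udev/rules.d/99-kvm4all.rules <<- EOF
        KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"
        KERNEL=="vhost-vsock", GROUP="kvm", MODE="0666", OPTIONS+="static_node=vhost-vsock"
        KERNEL=="vhost-net", GROUP="kvm", MODE="0666", OPTIONS+="static_node=vhost-net"
        EOF
        sudo udevadm control --reload-rules
        # kvm/vhost might not be available (e.g.: s390x, ppc64le)
        sudo modprobe kvm || true
        sudo modprobe vhost_vsock || true
        sudo modprobe vhost_net || true
        # Re-apply the rules to nodes that already exist, then chmod them
        # directly so the mode is 0666 for the rest of this job either way.
        [[ -e /dev/kvm ]] && sudo udevadm trigger --name-match=kvm
        [[ -e /dev/vhost-vsock ]] && sudo udevadm trigger --name-match=vhost-vsock
        [[ -e /dev/vhost-net ]] && sudo udevadm trigger --name-match=vhost-net
        [[ -e /dev/kvm ]] && sudo chmod 666 /dev/kvm
        [[ -e /dev/vhost-vsock ]] && sudo chmod 666 /dev/vhost-vsock
        [[ -e /dev/vhost-net ]] && sudo chmod 666 /dev/vhost-net
        # Log the loaded modules, the resulting device modes and the current
        # user so the outcome can be checked from the job log.
        lsmod
        [[ -e /dev/kvm ]] && ls -l /dev/kvm
        [[ -e /dev/vhost-vsock ]] && ls -l /dev/vhost-vsock
        [[ -e /dev/vhost-net ]] && ls -l /dev/vhost-net
        id

    - name: Check clock source
      shell: bash
      run: cat /sys/devices/system/clocksource/clocksource0/current_clocksource

    # Prints every environment variable of the step to the job log.
    # NOTE(review): GitHub masks registered secrets in logs, but any other
    # sensitive value exported by an earlier step would be printed in clear -
    # confirm the environment holds nothing sensitive when this runs.
    - name: Show environment
      shell: bash
      run: env

    - name: Show CPU
      shell: bash
      run: lscpu

    - name: Show memory
      shell: bash
      run: lsmem

    # Clears the two AppArmor sysctls that restrict unprivileged user
    # namespaces. --ignore keeps the step from failing on kernels that do not
    # have these keys.
    - name: Enable unprivileged user namespaces
      shell: bash
      run: |
        sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_unconfined=0
        sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_userns=0

    - name: Create missing mountpoints
      shell: bash
      run: |
        sudo mkdir -p /var/lib/ca-certificates

    # Both the unix-chkpwd and swtpm profiles are broken
    # (https://gitlab.com/apparmor/apparmor/-/issues/402) so let's just disable
    # and remove apparmor completely. It's not relevant in this context anyway.
    # TODO: Remove if https://github.com/actions/runner-images/issues/10015 is ever fixed.
    - name: Disable and mask apparmor service
      shell: bash
      run: |
        # This command fails with a non-zero error code even though it unloads the apparmor profiles.
        # https://gitlab.com/apparmor/apparmor/-/issues/403
        sudo aa-teardown || true
        # --assume-yes matches the install step at the end of this action and
        # keeps the removal non-interactive on runners whose apt configuration
        # does not already answer yes.
        sudo apt-get remove --assume-yes apparmor

    # If the action directory has no .git, replace it with a clone of the
    # action repository checked out at the ref the calling workflow used.
    # A mutable tag or branch in that `uses:` reference means the mkosi that
    # gets installed can change between runs.
    - name: Ensure git history is available
      shell: bash
      run: |
        if [[ ! -e "$X_GITHUB_ACTION_PATH/.git" ]]; then
            rm -rf "$X_GITHUB_ACTION_PATH"
            git clone "https://github.com/$X_GITHUB_ACTION_REPOSITORY" "$X_GITHUB_ACTION_PATH"
            git -C "$X_GITHUB_ACTION_PATH" checkout "$X_GITHUB_ACTION_REF"
        fi
      # https://github.com/actions/runner/issues/2473
      # Passing the context values through env also keeps them out of the
      # script text: bash expands them as data instead of parsing them as code.
      env:
        X_GITHUB_ACTION_REPOSITORY: ${{ github.action_repository }}
        X_GITHUB_ACTION_PATH: ${{ github.action_path }}
        X_GITHUB_ACTION_REF: ${{ github.action_ref }}

    # The path is quoted so an action path containing whitespace or glob
    # characters is passed to ln as a single argument.
    - name: Install
      shell: bash
      run: sudo ln -svf "$X_GITHUB_ACTION_PATH/bin/mkosi" /usr/bin/mkosi
      # https://github.com/actions/runner/issues/2473
      env:
        X_GITHUB_ACTION_PATH: ${{ github.action_path }}

    - name: Dependencies
      shell: bash
      run: |
        sudo apt-get update
        sudo apt-get install --assume-yes --no-install-recommends \
          debian-archive-keyring \
          dnf \
          makepkg \
          pacman-package-manager \
          zypper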